WordPress Backup and Restore Plugin Arbitrary File Deletion Vulnerability

Vulnerability

A vulnerability allowing arbitrary file deletion has been identified in the WordPress Backup and Restore Plugin, version 1.0.3. This issue arises from improper handling of parameters in AJAX requests, which authenticated attackers can exploit to delete files from the WordPress installation directory. The vulnerability is triggered by sending POST requests to admin-ajax.php with manipulated file_name and folder_name parameters.

Impact

Exploitation of this vulnerability allows authenticated users to delete arbitrary files from the WordPress installation directory, which could lead to the deletion of critical files and potentially disrupt the website's functionality.

Reproduction

To reproduce this vulnerability, an authenticated user can send a POST request to wp-admin/admin-ajax.php. The request must include the action 'barfw_backup_ajax_redirect', the call_type 'delete_backup', and the file_name and folder_name parameters specifying the file and directory to be deleted. The request should also include the necessary cookies to authenticate the user session.
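The root cause described above is that the delete handler trusts the file_name and folder_name parameters as supplied. The following hardened handler is an added example written for this page; it is not the plugin's own code. It assumes backups are stored under an uploads subdirectory named barfw-backups, that the archive extension is .zip, and that the front end sends a nonce in a field called nonce created with wp_create_nonce('barfw_delete_backup'); all three are assumptions, as are the _example function names. The action name barfw_backup_ajax_redirect and the call_type value delete_backup are taken from the advisory.

```php
<?php
/**
 * Hardened delete_backup handler (illustrative example, not the plugin's code).
 * Assumed: backup root = wp-content/uploads/barfw-backups, archives end in .zip,
 * nonce action 'barfw_delete_backup' sent in POST field 'nonce'.
 */

// The only directory in which a deletion may ever take place (assumed location).
function barfw_backup_root_example() {
    $uploads = wp_upload_dir();
    return trailingslashit( $uploads['basedir'] ) . 'barfw-backups';
}

/**
 * Resolve folder_name/file_name to an absolute path inside the backup root.
 * Returns null when the request points outside the root, uses path
 * separators or "..", or names something that is not a backup archive.
 */
function barfw_resolve_backup_path_example( $folder_name, $file_name ) {
    // Each parameter must be exactly one path component: no '/', '\', '.' or '..'.
    foreach ( array( $folder_name, $file_name ) as $component ) {
        if ( '' === $component || basename( $component ) !== $component
            || '.' === $component || '..' === $component ) {
            return null;
        }
    }
    // Only the archive type the plugin produces may be deleted (assumed: .zip).
    if ( 'zip' !== strtolower( pathinfo( $file_name, PATHINFO_EXTENSION ) ) ) {
        return null;
    }
    $root      = realpath( barfw_backup_root_example() );
    $candidate = realpath( barfw_backup_root_example() . DIRECTORY_SEPARATOR
        . $folder_name . DIRECTORY_SEPARATOR . $file_name );
    if ( false === $root || false === $candidate ) {
        return null; // root missing or target does not exist
    }
    // Containment check on the resolved path: symlinks and ".." are collapsed,
    // so a link inside the root pointing elsewhere is rejected here too.
    if ( 0 !== strpos( $candidate, $root . DIRECTORY_SEPARATOR ) ) {
        return null;
    }
    if ( ! is_file( $candidate ) ) {
        return null; // never unlink directories or special files
    }
    return $candidate;
}

function barfw_backup_ajax_example() {
    // 1. CSRF: the request must carry a valid nonce for this action.
    check_ajax_referer( 'barfw_delete_backup', 'nonce' );

    // 2. Authorization: being logged in is not enough; require site administration.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    $call_type = isset( $_POST['call_type'] ) ? sanitize_text_field( wp_unslash( $_POST['call_type'] ) ) : '';
    if ( 'delete_backup' !== $call_type ) {
        wp_send_json_error( 'unknown call_type', 400 );
    }

    $folder = isset( $_POST['folder_name'] ) ? (string) wp_unslash( $_POST['folder_name'] ) : '';
    $file   = isset( $_POST['file_name'] ) ? (string) wp_unslash( $_POST['file_name'] ) : '';

    // 3. Path containment: refuse anything outside the backup root.
    $path = barfw_resolve_backup_path_example( $folder, $file );
    if ( null === $path ) {
        // Record rejected attempts so they surface in log monitoring;
        // json_encode keeps attacker-controlled strings on one log line.
        error_log( sprintf(
            'barfw: rejected delete_backup from user %d: %s',
            get_current_user_id(),
            wp_json_encode( array( 'folder_name' => $folder, 'file_name' => $file ) )
        ) );
        wp_send_json_error( 'invalid backup path', 400 );
    }

    if ( ! unlink( $path ) ) {
        wp_send_json_error( 'delete failed', 500 );
    }
    wp_send_json_success( array( 'deleted' => basename( $path ) ) );
}
add_action( 'wp_ajax_barfw_backup_ajax_redirect', 'barfw_backup_ajax_example' );
```

The three checks are independent layers: the nonce stops cross-site requests, the capability check removes low-privilege accounts from the picture, and the containment check on the realpath-resolved target is what actually closes the arbitrary deletion, because it holds even if the first two are bypassed. Rejected requests are logged with the submitted parameters, which gives a simple detection signal for attempts against an unpatched site.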

Added: May 16, 2026, 4:22 PM
Updated: May 16, 2026, 4:22 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 6.6
remediation: 0.0
relevance: 8.4
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.